Saturday, November 6, 2010

I have many pet-peeves. One of them is people claiming that scientific theories have been "proven." And I find that no more aggravating than with the "theory" of evolution. That is wrong on two counts:

Scientific theories are NEVER proven.

Evolution is NOT a scientific theory

The first one is quite simply a result of the nature of scientific investigation. Science moves forward by demonstrating old theories to have been wrong. No theory no matter how consensual can ever rest on its laurels confident that no-one can attack it. If you want proofs, go do math! But if you're doing science, you demonstrate. (On a good day)

As for the second, I would first like to provide a disclaimer. I believe in evolution. I love evolutionary game theory to explain and describe all sorts of phenomena. I think evolutionary biologists (or as my microbiologist friend says: "the computer scientists who wandered in my department") have the coolest job ever. I don't even believe in god or anything intelligent which would have or be creating or designing or guiding the world/universe/cows. But, evolution is not a scientific theory. Why do I say that?

Let us look at what scientific theories are. For something to be a scientific theory, it has to be falsifiable. People sometimes add on all sorts of other criteria but trust me, falsifiability can be found at the source of all other criteria. So what is falsifiability? To put it simply, it has to be conceivable to demonstrate the theory to be false. Is practice, what that means is there needs to exist an experiment (natural or artificial) which if it is performed and certain results come out, the theory can be pronounced false. For instance, I have the theory that: The sky is blue. It is possible for me to peek my head out, look up and see what color the sky is. If it is not blue, my theory was false. "The sky is blue" is therefore falsifiable. You will however notice that for that experiment to work, we need well defined terms. (Or operationalized variables as we sometimes say in academia) Let us consider that we define the word blue as being: "The color that the sky is." Well now, what my theory is really saying is: "The sky is the color that the sky is." That is tautological. There is no experimental outcome which would show that statement to be false. As an alternative consider the idea that we have not defined "blue" prior to the experiment. I could stick my head out the window, look and and say: "The sky is blue" no matter what I saw! In that case again, the theory would not be falsifiable.

Unfortunately, it is not enough to have an experiment. One must have a competing theory which predicts an alternative empirical result. The most basic competing theory is the negation of the theory: "The sky is not blue." However, competing theories can be quite complex themselves: "You live under a dome which never shows you the sky." If that theory was to be the competing theory, sticking your head out the door of your house would be insufficient. You must further demonstrate that the is no dome perhaps by constructing some sort of ladder or flying up in a rocket. This may seem silly but that is the very principle upon which science is built. A theory is always assaulted by competing theories which contend to explain more or better the universe around us. So for instance, Newton's theory of gravity was demonstrated to not be as accurate as Einstein's theory of gravity when a set of measurements were taken which better matched Einstein's theory than Newton's. So now that we are armed with knowledge and therefore power, let's look at evolution.

At its most basic, evolutionary "theory" simply says that random mutations occur in the population and those mutation which confer an advantage will result in the individuals passing on these mutations to its children thereby spreading those mutations. So how do we test that? Well, it is quite simple. One must simply look at a mutation that confers an advantage and see if that mutation spreads to the rest of the population after enough generations. (And do the experiment a thousand times in order to account for random and non-random factors) Easy? Well not so fast! How can you tell if a mutation confers an advantage? Evolutionary theory does not tell us anything about that. That is a crucial problem because after running my experiment and seeing that the trait does not appear to spread, I can safely claim that the trait was not actually advantageous. Perhaps it was disadvantageous. In other words, the variables cannot be correctly operationalized.

So now let's pit evolution vs it's greatest nemesis: intelligent design. Here, the resemblance in both stories is stunning. Intelligent design simply replaces natural selection and randomness with the hand of god. (or whatever other entity you choose to place) Of course, one cannot know what god wanted ex ante (latin for before the fact) so, whatever the outcome is can be safely described as being the result of the hand of god. Intelligent design and evolution fall in the same trap of not being falsifiable.

Saturday, October 16, 2010

Washington is and has been in uproar about the Chinese manipulating their currency, keeping the Yuan artificially low. Whether this is true or not is a matter of debate, but not the one I want to have. Let's just take for granted the idea that China is keeping the Yuan artificially low. Please China, I beg you, keep doing it!

Most of you out there think China doing currency manipulation is good for China and bad for the USA. Well, that's because you listen to the wrong people. Well gather around and let me tell you a story. (A prime skill I developed as an economist) So the Chinese are keeping the Yuan too low. Therefore, when they sell a product for $2 in the US, they get more Yuans back than if the market was allowed to act. Since Chinese businessmen pay their bills in Yuans, they realize rapidly that they can sell their widget for $1 instead of $2 still pay their bills and make a profit. Now, this sounds amazing! While before the widgets cost $2, they now cost $1. As consumers, we all rejoice. But wait tell us the big bad economists, what about the American toy makers? Well the American widget makers can't make their widgets for less than $2. So, we the consumers don't buy from the American widget makers as much anymore. So the poor American widget maker lays off poor American workers who are all very sad. Now, this is bad! As workers we cry. Well now look at the other effect. Because the price of widgets has gone down, the cost of living fell with it. So, employers can pay employees less cash and still make them as well off as before. This gives an opportunity to also drop other prices. So in the final count, you have some people in some industries that have lost their jobs or had their companies close down. But the cost of living has decreased for everyone dropping the cost of labor. In effect, when the Chinese artificially lower their currency, they subsidize your consumption.

Furthermore let's look at what happens in China. Currency devaluation requires selling lots of Yuan. Especially when you export that much. So, in order to do that, China has to print money. Which causes inflation. Inflation is quite painful. It discourages investment and saving. So the Chinese are kindly enough paying the price for our lower prices by paying higher prices themselves. Sure, some people in their export industry benefit, but everyone looses over there. So please China, keep screwing over your own population so I have a better standard of living!

Thursday, September 2, 2010

Next election, I'm not voting. Period. Now, I'm sure that some well polished liar will manage to convince me to get off my behind and get to a voting booth. Or more likely, my wife will guilt me into doing my "citizen's duty." But I can tell you, if I had an opportunity to not vote right now, I would take it.

Now, there are many reasons not to vote. Your vote doesn't count. No, really! It really doesn't count! Do the math. When was the last time an election of any importance was decided by 1 person? Even by 100 people? You probably don't know enough to make an informed decision. How many of you know anything about the major economic, political and military issues? How many of you even know what the current state of affairs is? Enough that you could make a good informed decision? If you think you do go and look at the size of the United States Code. This is the status quo. The possibilities are a trillion times larger. Still think you know enough to make an informed decision? I didn't think so.

Those are not my reasons. My reason is that voting simply doesn't matter. That's right, it plain doesn't matter. I voted for Sarkozy in France and campaigned for Obama in the US. Why? Because I listened to what they said they would do and I thought it was marginally better than the plan the other side was offering. The problem? What they said has nothing to do with what they did. Nothing at all. It's not even close to being an accurate predictor of what they did. It's not that I wish I had voted for Segolene Royal or campaigned for McCain. Their statements were probably not any more accurate predictors of what they would have done. But really, until after it was too late to make a decision (after the election) there was no way to know what the winner would do. And there is just plain no way to ever know what the loser would have done.

There is a saying in computer science which describes this situation: Garbage In, Garbage Out. What it means is that if you feed a computer bad data, it will spit out more bad data. Sure, sometimes by pure chance, the output will be correct, but you can't rely on it. This is what the voting process is. We receive data, and then we output a vote. The data we are fed is garbage. Therefore, so is our vote. I for one will opt out of garbage next time.

Saturday, May 15, 2010

While Paul Krugman has quite an amazing resume, his blog and his TV appearances inspire anything but amazement. He seems to be a poster-child for the idea that involvement in politics may be incompatible with intellectual honesty. Yesterday, he served us on his blog with "Why Libertarianism Doesn't Work Part N".

Basically, he brings up an old Milton Friedman interview in which Milton Friedman says that regulation is unnecessary because if a company messes up, it will be held accountable in front of a court of law by those it harmed. Or as the reporter puts it: "So tort law takes care of a lot of this..." The media coverage of the recent oil spill has made everyone aware of a $75 million cap on damages for oil spills. Unfortunately, when a bill was introduced to raise that bar to $10 billion, the bill was blocked in the Senate by Republicans. (I guess they overheard Obama may potentially like said bill) Of course, if damages are capped (especially at such a ridiculously low level compared to actual damages) then the threat of a lawsuit isn't much of a deterrent to companies acting in ways harmful to third-parties and consumers. And so there is the obvious answer that such bills should not be blocked and probably that we need different people in power. (How about people who can vote for bills by "the other side" for a change?)

But Krugman has found the silver bullet. Of course politicians are corrupt. They always will be. And so "If libertarianism requires incorruptible politicians to work, it’s not serious." Brilliant! Except that it demonstrates that Krugman either lacks intellectual honesty or is incompetent. If the Senate so grossly distorting the liability by private corporations is the failure of libertarianism, what about the failure of agencies in charge of regulation?

Off-shore drilling is heavily regulated. In charge of such regulation is the Minerals Management Office at the Department of the Interior. Those are the people who were in charge of collecting royalties from off-shore drilling, making sure off-shore drilling platforms are safe and that if they have accidents, there are measures in place to recover rapidly and effectively. According to MSNBC's Rachel Maddow (not the most conservative, libertarian or really anything except liberal) those people were caught "doing meth off the toaster over," (never having done meth or any drugs myself at all, I cannot say whether that makes any sense at all...) taking "embarrassingly small bribes" from oil companies, having drunken sex at oil company resorts (what the hell is that?) with oil company lobbyists. Those people are about the last people I would trust with a $5 bill, much less with managing the entirety of the natural resources of a country efficiently and safely.

Of course, it's not as though all regulators are like that and all we have to do is get some people who don't do drugs with industry execs in that office right? Well, not according to Paul Krugman. I mean, if regulation requires non-corrupt regulators, it's not serious.

There is a real debate concerning the role of government. There are intelligent sophisticated honest people on all sides of that debate. Paul Krugman is obviously not one of them. And it annoys me to no end. An ethical economist (or any scientist social or otherwise) makes it clear when he speaks as an economist, and when he speaks as a politician. It may just be that Paul Krugman has completely abandoned all claim to being a rigorous economist to become another biased talking head. But if that is the case, I request that he please ask to not be introduced as an economist. I cringe every time it happens.

Tuesday, May 4, 2010

The Food and Drug Administration is currently considering regulating how much salt can go in prepared foods. Obviously, given that we are in a democratic administration, the republicans feel obligated to dislike this initiative. But they are not the only ones opposed. I am too! (And you obviously care about that.)

First and foremost, a disclaimer: If you have too much salt, it is unhealthy. (beyond the fact that "too much" already implies a negative effect) There are numerous studies which point to the veracity of this statement and quite honestly, unless you get your information from the Salt Institute (I'm sure they are completely objective on the topic) you should already know so. However, that is completely irrelevant.

What I choose to eat is quite simply between me, myself and my food. Now, as it turns out, I do not like prepared foods very much and I try to be a bit careful with salt. But that is a choice for me to make. I am a grown man and I don't particularly like the idea of being treated like a child by anyone. If I want to reduce the salt in my diet, I'll look more carefully at ingredients on packages and pick up the salt shaker less often. I do NOT need the government to intervene in that matter.

Now, in that situation, what should the FDA be doing? Well, there is the point that it shouldn't exist in the first place, but I have a more moderate position: Mandate stricter disclosures. Perhaps create a sign that food manufacturers must place on their products that says: "This product contains unhealthy amounts of salt." Or maybe provide better nutritional education in schools.

Helping people is about providing them with information and teaching them skills, not removing options.

Sunday, March 28, 2010

I was reading EconLog a couple of days back and it brought back to the surface a question I have been asking myself for a while. Why are libertarians so often associated with the right wing? Specifically, why the Republican Party in the USA. Let us look at the Republicans and the Democrats and evaluate them according to libertarian values:

Economic Issues

Republicans advocate for a "small government" which trusts the market to do what it does best. Goods and services are best priced by a free undistorted market. Republicans also advocate fewer taxes (which is a big bonus when it comes to respecting private property) and an unregulated labor market without price controls or contracting restrictions. That is the conventional wisdom.
However, we should not forget things such as the Republican stance on immigration. Republicans are much more likely than Democrats to oppose open borders. Why? Keep American jobs for Americans. In other words: Knee-jerk protectionism. Libertarians realize that the job market is not a pie that you have to divide between foreigners and locals. Instead, an influx of cheap labor drops prices boosts consumption and helps everyone. (Somebody may have lost their job, but overall, we are better off) Also, who loves those rural voters and throws them farm subsidies as often as possible? Also, it is a historical fact that Republicans are much worst at balancing the budget than Democrats. And eventually, that bill is going to come due...

I would give Economic issues to Republicans by a slight margin.

Foreign Policy

Democrats it's well known are all peace loving hippies. That's a far fetched exaggeration, but recently, the Republicans started two wars where neither accomplished a whole lot. Whether it is Afghanistan or Iraq, it is hard to argue with the fact that the Democrats were a whole lot more committed to peace than the Republicans were. Now, it would be unfair to forget things such as the Balkans war which Clinton jumped in, but comparing the recent records of Republicans and Democrats, the Democrats seem less likely than the Republicans to get involved in wars.

I would give the Foreign Policy issues to the Democrats by a slight margin

Social Issues

This is in my opinion where the big difference is. Whether you are talking about abortion rights, gay rights, minority rights, women's rights, etc, the Democrats can carry this one home easily. The Republicans are a whole lot more likely than the Democrats to tell you what you can or cannot do in your bedroom. And that for me is a deal breaker. If we also look at things such as religious freedom and discrimination, it seems the Republicans would be a whole lot more amenable to racial or religious profiling.

Social issues in my opinion go easily to the Democrats.

So, why is it that Libertarians associate so much with the Republicans? Are the economic issues so immensely important that the slight Republican advantage in that area overshadows everything else? I had that chat with a friend of mine recently who said: "Well, I'm in favor of abortion rights and letting whoever want to marry do so, but I'm a white heterosexual guy. It's not my issue. Economic policy on the other hand affects me a lot." I think some of it may be that point. We are closer ideologically to the Democrats, but the dimensions on which we are more "left-wing" are not those most closely aligned with our self-interest. So we are likely to go with the other side. We'll grumble and kick and scream, but in the end, we'll get seduced by a little bit more of free-market. Now the question is: Should we keep on doing that? Or should we switch to the other side?

Thanks to Eolas, I just came accross this amazing video by Eric Whitacre. He is a composer and conductor who apparently is also quite the innovator. For his latest piece of music Lux Arumque, instead of putting together a chorus, he used YouTube. He posted the parts online and made a video of himself conducting with piano on the background. Then, anyone who wanted to could make a video of themselves singing one of the parts. The final step involved collating all the videos and sound tracks together to give the impression of a real chorus. Truly the effect is amazing!

Now, just because I have to, I would like to point out that to my understanding, none of the participants in the chorus has received a single dime. They got paid in fame and probably quite a bit of pride. I'm also convinced that if some are attempting to become professional singers, participating in such a project can only be a boost to their career. As for the organizer/composer/conductor Mr. Whitacre, his latest CD which features the piece is probably receiving a boost in sales as we speak, and he probably is gaining quite a lot of fame in the process which I'm sure he'll monetize somehow.

Sunday, March 7, 2010

I am quite annoyed and tired of people acting like sheep when it comes to analysing the financial crisis. I just got finished watching a Daily Show episode where some guy named Scott Patterson explained to everyone how quants on Wall Street were all just making models with no relation whatsoever to real asset valuation and creating swaps: "these really toxic assets."

The first part where this is wrong is that asset valuation models were not unrelated to actual assets. A lot of those models actually included real economic indicators and real financial data regarding the health of those companies. Secondly, basing a model on past returns does not mean that you are completely disconnected from the asset. It just means that you trust pricing mechanisms to give you information instead of going to collect the information directly. Is that always a good idea? No! Is it always a bad idea? No!

The second error is referring to all derivatives as though they were these evil monstrous things. Derivatives were used for a lot of different things. Currency swaps are used by companies who export or import to limit their exposure to foreign exchange. In other words, they are using swaps to NOT gamble on foreign exchange rates. Futures are used by companies to ensure that the price they pay for their raw materials will be constant for a certain period of time. Airlines use options on oil to limit their exposure to short term fluctuations on the oil market. These are specifically examples of companies using derivatives to NOT make bets. And yes, unless there is a speculator on the other side to take the risk off your hands, very often that transaction won't be able to happen.

Third, I would like to address the issue of "swaps these really toxic assets." I assume the guy was talking about Credit Default Swaps. Those turned out to be a huge problem for a simple reason: They were heavily traded amongst financial institutions and they were over the counter. What that means is that instead of being bought and sold, positions were closed by writing a new CDS. So let's say Bank A sells a CDS to Bank B. Now Bank B doesn't want a CDS, but it can't sell the one it has. So it writes a new one and sells it to Bank C and so on an so forth. Normally, it works great. Except that if suddenly it's time for Bank A to pay Bank B and Bank A doesn't have the money, Bank A fails. And if Bank B was counting on Bank A's money to pay Bank C, well Bank B might fail too and so on and so forth. And the problem was, nobody knew who owed what to whom. Which meant that there was a lot of fear that maybe the bank you do business with usually might fail despite looking healthy because the people it bought a CDS from can't pay. It's called counterparty risk. It's not that CDS were "really toxic assets." It's that there was a lack of information and a lot of paranoia.

Fourth and last, I want to advise anyone listening to the show to listen to the part when Patterson starts talking about what quants did that was risky. Apparently "hedging" made the list. Hedging is a strategy which consists in... reducing your risk! What part of reducing your risk is really risky? Oh sure, when done improperly, it can blow up in your face, but hedging is by definition NOT risky.

I am to be honest sick and tired of the approximations that people make about the financial crisis. Not everyone has to be a brilliant economist like yours truely, but instead of following everyone like a sheep, think for yourself for a little bit. Find information. You think that derivatives destroyed the world? Look up what derivatives are and learn how they were used. You'll find out that there was a lot of stuff going on and that while some was not prudent by a long shot, a lot of it was quite frankly not a bad idea for the people without the benefit of 20/20 hindsight. It's really easy to point the finger at someone and lynch them with everyone else. It's much harder to try to figure out what complex set of circumstances led to the current situation. And honestly, the comments that guy is making are not encouraging much thought.

Friday, February 19, 2010

When the financial crisis first started, I had a front row sit. As an investment analyst with a small financial advisor, it was my job (among many others) to keep an eye on the financial new and keep everyone appraised of what they had already read on Bloomberg. So when Bear Stern started giving signs of fading, (by which I mean screamed in agony) and JPMorgan started salivating at the smell of juicy interest obligations with low risk thanks to the Fed decided to altruistically help the Fed in rescuing the economy, I was able to start pondering the concept of "too big to fail."

My first reaction was: "Let them burn." Those were actually my words. I am a little bit of a libertarian and I tend to think that if a firm makes poor decisions over and over again, it should fail and allow other better firms to take over. At the very least, a lesson would be learned. I held on to that belief for quite a while and have not completely given up on it, but as times past by, I realized that 1) despite my grumbling, tax dollars were going to rescue those big banks and 2) I did not really want another Great Depression just to teach those guys a lesson.

Having given up on my insignificant campaign in the comments of financial blogs to advocate letting banks fail, I started joining the ranks of those who believed that at the very least, if you are too big to fail and you get rescued, part of the deal should be to make you small enough to fail next time. That felt very clever, but those words always left me with a bad after-taste which I ignored for quite some time.

Recently, I started thinking about the concept of too-big-to-fail within the context of the systemic risks and factors central to this crisis. (Now, many people will try to tell you that the crisis was due to greed, Clinton or Bush. Don't listen to them. In fact, if anyone claims to explain this financial crisis in less than a 10 page essay, they are either summarizing a very intelligent argument, an idiot or lying. Most likely, it is not the first.) The big culprits were poor loan origination practices which were focused on closing a deal no matter what the deal was and the lack of understanding of many mortgage-backed securities. (I refuse to say "lack of clarity". Those securities were very clear, they were just complicated requiring something beyond cursory examination to understand. If you bought a computer without reading the specs and it failed to do what you wanted, you would not call the computer obscure. You would call your buying process uninformed.) The combination of these two factors created a huge understatement of systemic risks throughout the financial system. That understatement lead to an over-evaluation of those securities which gave us the crisis when that stopped being the case.

Now, if instead of having a couple of very big banks, we had many small banks, the differences would have been quasi-nil. I spoke some time ago with an executive at a firm which hired loan officers. Now, when you meet a loan officer, you may feel that you are talking to a perhaps eager, but level-headed guy pretty low on the totem pole. The truth is, the best ones among them were rock stars. If you can originate enough loans, banks will offer anything to bring you on-board. That created a competition where tying compensation to repayment of the loan quasi-impossible. Because if you try to better align your loan officer's compensation to your firm's interest, he'll go find a job with another firm. And if that happens, your competitors will eat you up and you will not last long enough to see your smart long-term planning vindicated. By having more smaller firms with less market power you would have even more competition for those star underwriters further exaggerating that tendency to short-term thinking. When it comes to the wide-spread use of these over-priced securities, it does not matter whether the firms are big or small. Everyone was using them from pension funds in Sweden to the big firms on Wall Street. Breaking up Citibank into 50 small banks would have done nothing to prevent the crisis.

The truth is, it was not those big firms that were in difficulty and too big to fail. It was the entire financial services industry. And so concentrating on making sure Citibank is not "too big" or ensuring Goldman Sachs cannot topple the world economy will solve no problem. The waves of failures of hundreds of small banks would have pulled us into a Great Depression just as surely. In fact, the size of those big banks and the industry concentration allowed the government to more efficiently use its resources. When Bear Stern was failing, Ben Bernanke had their executives in his office within hours and a plan could be hammered over the week-end. Can you imagine the government having to negotiate a rescue plan for hundreds of small failing banks simultaneously? It would take months and chances are that by the time the government acted, it would be too late.

Tuesday, February 16, 2010

Bryan Caplan over at EconLog is asking how normative economics should be. For those of you who may not know, normative means "pertaining to a norm" and is opposed to positive. In other words, normative statements tell you what should be which positive statements tell you what is. (I am flashing back to first day High School Econ class)

I for one believe that economics should never venture into normative statements because it then ceases to be economics. Strong opinion, I know, but hear me out: The social scientific method relies upon building testable, falsifiable theories which allows us to gain predictive power. How do normative theories measure to that standard?

A normative theory is effectively a positive theory with something added at the beginning and the end. Take for example the theory of comparative advantage. A very simplistic version states that unrestricted trade through specialization leads to greater prosperity. At the beginning, add "We should do things that lead to prosperity." and at the end add "Therefore we should do unrestricted trade." At best those statements are irrelevant, at worst, they make the theory untestable and therefore unscientific. If the actual conclusion is: "We should do unrestricted trade," the theory is untestable. You cannot take facts, compare them to that statement and determine whether those facts infirm or confirm the statement without bringing in the original statement that "We should do things that lead to prosperity." But, if you bring in that assumption, you are redefining the word "should" such that the actual conclusion is: "Unrestricted trade leads to prosperity" And at that point, you have not added anything with the normative statements.

Furthermore, when you bring in an assumption, you are opening up the field for its discussion. However, how can you discuss "We should do things that lead to prosperity" as an economist? The answer is, you can't. You are doing philosophy, politics, religion which are noble pursuits (or at least can be) but you are not doing economics.

The only valid answer as an economist when asked what should be done is to say: "Tell me what you want, and I will help you get it." But to pretend that economists know what should be done is simply preposterous.

Tuesday, February 9, 2010

Apparently, South Carolina has found the silver bullet to the issue of terrorists and other subversive groups: make them register. You may think this is a joke, but the Subversive Activities Registration Act (South Carolina House website) appears to be very real. If you or your organisation intends to overthrow the United States Government, the government of the State of South Carolina or any of its subdivisions by "force or violence or other unlawful means" (Section 23-29-20-1) are an organisation "subject to foreign control" (Section 23-29-20-2), or are a "Foreign Agent" (Section 23-29-20-3) you must register to the Secretary of State of South Carolina within 30 days (Section 23-29-50) using this conveniently provided form... in duplicates. Remember to pay the $5 registration fee and to include a self-addressed envelope for them to send you... I'm not sure what. I hope that you get a Subversive Agent Certificate but I doubt it. If you do not register, you may be subject to a fine not exceeding $25,000 and/or a prison term not exceeding 10 years. (Section 23-29-90)

For all you crazies out there who may think that the government you are trying to overthrow is trying to unfairly restrict your rights, I direct your attention to Section 23-29-30 which guarantees that registration as a subversive will have no effect on your freedom of speech and freedom of the press. There... Feel better?

Now to be fair, as I understand it, advocating to overthrow the United States government is not technically illegal as long as you don't do anything about it. So this may just be a not very subtle way to fight against militias and other groups who will surely not fill out the form nor pay their $5 fee but may otherwise be acting in a perfectly legal manner. I'm a big champion of freedom of speech and so this sneaky restriction on speech makes me a tad uncomfortable, but I think that when the guys who want to overthrow the government buy guns, march in lockstep and train in urban warfare, maybe we should do something about it before they start shooting.

PS: I am not trying to overthrow any government at all, but my wife practically had to restrain me as I was desperate to register as a subversive or possibly a foreign agent. (I already have the foreign part down, I just need to find some government that wants to tell me to do stuff) I am expecting that while not a single subversive organization will register (they are crazy, not stupid) the office of the secretary of state will probably be flooded with registrations by college students who have nothing better to do.

Saturday, January 23, 2010

A few days back the New York Times published a rather alarming (or alarmist) piece prompted by the Chinese hacking of Google. (If you have not heard of that, crawl out from under that rock and read any newspaper) That piece is filled with approximations which are probably not very informative for the public at large.

The crown jewels of Google, Cisco Systems or any other technology company are the millions of lines of programming instructions, known as source code, that make its products run. If hackers could steal those key instructions and copy them, they could easily dull the company’s competitive edge in the marketplace.

Is source code important? Yes! Would having Google's source code make my day? Yes! Would it allow me to beat them at their own game? No! Google and most other tech firms actually are not resting on their laurels with the best source code around. Google has data centers around the world to host their data and provide us with services. They have earned the trust of advertisers promising to give them a fair deal despite rather none-transparent (unless you are very good at math) pricing mechanisms. They have earned the trust of millions of people who hand over, their emails, voice mails, medical records, trips etc... Would I trust some shady Chinese hackers possibly backed by their totalitarian government with my private data? No! Would you? I hope not. Furthermore, what happens when Google rolls out the next Google Maps, or the next Gmail? Because they can keep on doing that. They have some of the brightest minds of the industry and a corporate culture which fosters that kind of innovation. Those things do not come with the source code. And Google is by far not an exception. Microsoft Windows is probably far from being the best operating system in the world. Yet they have a market share that dwarfs every other OS on the market. Even free ones! How? Well, the answer is complicated, involving marketing, deals with manufacturers, network externalities and more, but one thing is such: it's not the source code!

More insidiously, if attackers were able to make subtle, undetected changes to that code, they could essentially give themselves secret access to everything the company and its customers did with the software.
The fear of someone building such a back door, known as a Trojan horse, and using it to conduct continual spying is why companies and security experts were so alarmed by Google’s disclosure last week that hackers based in China had stolen some of its intellectual property and had conducted similar assaults on more than two dozen other companies.

Alright, this is properly scary. If the Chinese government is snooping on my email, they probably won't get anything useful, but I would rather they didn't anyhow. Is it likely? Not really. If you are working on a big software project, you are probably familiar with version control systems. It keeps tracks of all changes made to the code and allows the possibility to roll back to previous version if the changes broke something. (A common occurrence, programming is one step forward two steps backward in general) But what that means is that if Chinese hackers introduced a back-door in Gmail

It's probably confined to the alpha or beta-version

There is a suspicious looking record somewhere that must scream out to a developer: "Why the heck did you change the code to include a backdoor?"

It's possible such a thing will be missed but it's not very likely. I can imagine all users whose computers were affected by the break-in were instructed to exercise extreme vigilance and report anything suspicious.

Computer users around the globe have Adobe’s Acrobat or Reader software sitting on their machines to create or read documents, and Adobe’s Flash technology is widely used to present multimedia content on the Web and mobile phones.
“Acrobat is installed on about 95 percent of the machines in the world, and there have been a lot of vulnerabilities found in Flash,” said Jeff Moss, a security expert who sits on the Homeland Security Advisory Council. “If you can find a vulnerability in one of these products, you’re golden.”

Again, properly scary. If they somehow turned Adobe Acrobat or the Flash Plugin into a trojan horse (a program used to access your computer without your consent) there is something to be scared of. However, Adobe is not like Google. They provide software not cloud computing for the most part. So unless the attackers managed to make changes, compile the source code (source code must be translated into machine code in order to have it be something other than a text file and that process can be very time consuming) and push it through the automated update system, it won't matter. And I'm sure that Adobe is quite careful to make sure that nobody has tampered with updates they will push out for the near future.

Given the complexity of today’s software programs, which are typically written by teams of hundreds or thousands of engineers, it is virtually impossible to be perfectly confident in the security of any program, and tampering could very well go undetected.
Companies are understandably reluctant to discuss their security failures. But one notable episode shows just how damaging the secret tampering with source code can be.

Here, the authors of the article run counter to almost two hundred years of security research ever since Dr. Auguste Kerckhoffs made the argument against security through obscurity. (The practice of hiding what your security system is to prevent others from discovering vulnerabilities) If there is a flaw in your system, eventually, somebody will find it. That is just a fact. Now, you have two choices. You can make your system open to legitimate security researchers who will help you fix the vulnerabilities or you can hide it so only those interested in malicious activities will break it open. The article advocates the latter. In reality, security research is largely hit and miss. It's not about a single brilliant single individual finding the "skeleton key to the internet." It's about creativity, inventivity and originality. It's about thinking out of the box. And guess what? The security team who designed the system have a really hard time thinking outside the box they created. More people knowing how your system works is better.

The second claim that the article makes here is that companies do not want to discuss their security failures. That is true. But there is nothing "understandable" about it. Who do you trust? The guy who tells you when he made a mistake or the guy who lies that everything is fine which he's driving you off a cliff. Being open about security issues is what makes customers trust your products. They know there are no known security issues because they trust you would have told them.

Alan Paller, director of research at the SANS Institute, a security education organization, said American technology companies had gotten better about protecting their most prized intellectual property by creating more complex systems for viewing and changing source code. Such systems can keep a detailed account of what tweaks have been made to a software product.

Now, I don't know what he's talking about here for sure, but it does sound a lot like version control systems which I mentioned above. Those are not a couple years old and security is not their primary purpose. They are collaboration tools. They allow multiple people to work on a project and prevent a single mistake from forcing everyone to restart from scratch.

The New York Times is a great paper, but they really need to get better at some issues.

Wednesday, January 6, 2010

I don't know how many of you watch the ABC show Castle, but they apparently have found a way to connect with their fans and make money through means other than locking up content.
The show involves a mystery writer (played by Nathan Fillion) following a New York City police officer (played by Stana Katic) in order to write yet another bestseller: Heat Wave.
ABC has just come out with that book. Now obviously, fictional characters can't write, but if you were not watching the show, there would be little indication that the book was not written by Richard Castle, bestselling author, playboy and amateur detective.
No matter how many people may be illegally downloading the show, you cannot "pirate" a hardcover book with a sleeve showing one of your favorite actors as one of his characters. JPEGs on your hard-drive are just not the same thing. The back cover even quotes actual best selling authors (who make appearances in the show) to sell the fictional author.
The book is a New York Times Best Seller (#26 this week) and I can imagine that must generate some not insignificant revenue.
Nathan Fillion as an actor is no stranger to more innovative business models, though this is most likely not his doing. After building himself a cult following with the short lived TV Series Firefly, he starred in the viral favorite Dr. Horrible's Sing Along Blog which was first released free of charge online before a special-features-packed DVD hit the market.
This is yet another example that, despite what major content middlemen monopolies tell us, there are many ways to make money without depending on copyrights: Make attractive content and sell valuable scarce goods that ride on the popularity of the content.